Message-ID: <Pine.SGI.4.44.0208190446420.150820-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: consumer "rights" vs real innocents

Here is another item for discussion. What "rights" do software consumers really have? I'm not a lawyer, so I won't presume to address this from a legal perspective, but a moral one.

Some people seem to think that no matter how ignorant a person is, they should be shielded from the malice or ignorance of others. I'm not so sure about this. It begs the question, "is there a corrupt consumer public?" From observation, I'd say that there is. Most people buy MS products based on product image and the promise of quick gratification. For the most part they intransigently refuse to educate themselves. There is also a large group of people who continue to use software even after it proves to be dangerous. I worked for a company of about 13,000 people which continued to use MS Exchange + Outlook Express (in 2000) and got hit by the first generation of abook worms so many times that their mail servers were down for over 3 weeks during that year. Just plain stupid.

Another point on this topic is that the public often supports companies who are, themselves, corrupt. They support MSFT, which has pretty much succeeded in undermining some of the basic precepts of democracy and capitalism. Jefferson said "a fair field with no favors" and the Sherman anti-trust laws attempted to create a statute supporting that. MSFT through lobbying and careful manipulation continues to undermine not only the industry, but our actual country. They attempt to directly undermine smaller companies or efforts like Linux that might produce better products, rather than improve their own products to compete. The public and our government turn a blind eye to this. They continue to buy their products for such trivial reasons as the fact that MSFT used the Rolling Stones in an advertising campaign. All this despite the ease of observation that they are a corrupt and militant monopoly.

I've read the Zarcadian position of the "hacker paladin". I find it fascinating, but also I think it's important to point out that they advocate protecting innocents, and draw some parallels to medieval serfs who were being victimized by greedy land barons, or simple bandits. However, there are some critical differences in many of the cases which we have been recently considering. First off, if a serf didn't pay his taxes to the provincial lord, or give his last gold piece to the bandit with a notched arrow, then he was as good as dead. Today's consumers aren't in the same sort of plight. They have a choice where to spend their money, and they often make the wrong choice, for selfish or ignorant reasons. If they are subsequently victimized repeatedly by, say, Microsoft + Outlook Express, then they share some of the blame in their fate. For whitehats to tell me that I've got to protect these types of people from (ultimately) themselves is pretty aggravating.

However, I'm not saying that the Zarcadian position is entirely flawed. In fact, quite the opposite. I stick by my assertion that exploits and "toolz" are something akin to weapons. Now, the "Templars" have a choice. Do you turn your weapons over to a corrupt vendor, or make your tactics known to the corrupt public? NO. That'd render them useless. Why not use them to fight some meaningful battles against a truly evil enemy? Examples (IMO) include corrupt 3rd world governments, greedy corporatists who undermine our government, or pedophiles. If _you_ want to release your tools, exploits, or bug information to the public, fine. However, don't come to me with an attitude about how I'm cheating the poor, innocent public or altruistic corporation out of some badly needed security info. I work for myself, not for them, and the fruits of my labor are going to be used for my own purposes.

Take your idiotic RFCs about the "right" way to release vulnerability info, and shove it. I've seen your brand of "ethics" at work, and I'm not impressed.

aliver